b"Oversight Review              January 27, 2012\n\n\n Quality Control Review of Army Audit Agency's\n         Special Access Program Audits\n\n         Report No. DODIG-2012-045\n\x0cAdditional Information and Copies\nThe Department of Defense, Office of the Assistant Inspector General for Audit Policy\nand Oversight, prepared this report. To obtain additional copies of the final report, visit\nwww.dodig.mil/audit/reports or contact the Office of the Assistant Inspector General for\nAudit Policy and Oversight at (703) 604-8760 or fax (571) 372-7454.\n\nSuggestions for Reviews\nTo suggest or request reviews, contact the Office of the Assistant Inspector General for\nAudit Policy and Oversight by phone (703) 604-8760 (DSN 664-8760), by fax\n(571) 372-7454, or by mail:\n\n                       Department of Defense Inspector General\n                       OIG-APO\n                       ATTN: Suite 11D28\n                       4800 Mark Center Drive\n                       Alexandria, VA 22350-1500\n\n\n\n\nAcronyms and Abbreviations\nAAA                           Army Audit Agency\nSAP                           Special Access Programs\nGAGAS                         Generally Accepted Government Auditing Standards\n\x0c\x0cAppendix A. Comments, Observations, and\nRecommendations\nWe are issuing a pass opinion because we determined that the Army Audit Agency\xe2\x80\x99s\n(AAA) quality control system is adequately designed and functioning as prescribed. The\nconcerns we identified during our review of the selected AAA audit reports were not\ncumulatively significant enough to indicate that material deficiencies existed in the AAA\nquality control system for complying with generally accepted government auditing\nstandards (GAGAS).\n\nWe identified areas of concern relating to independence, planning, audit documentation,\nand quality control. We judgmentally tested the reports for compliance with GAGAS and\nAAA audit policies in nine areas to include independence, professional judgment,\ncompetence, audit planning, supervision, evidence, audit documentation, reporting and\nquality control.\n\nIndependence\nWe found that the program director did not sign the independence statement for the audit\nmanager which was documented in the audit working paper files for one of the two audits\nreviewed.\n\nGAGAS 3.02 (2007 Revision) states that in all matters relating to the audit work, the\naudit organization and the individual auditor, whether government or public, must be free\nfrom personal, external, and organizational impairments to independence, and must avoid\nthe appearance of such impairments of independence.\n\nUSAAA Regulation No. 36-3, Audit Survey and Execution, dated October 17, 2003,\nChapter 2, Section 4, Independence states that to comply with the independence standard,\nthe Auditor-in-Charge must determine and document whether any audit team members\nhave any personal impairments to independence based on the audited activity or subject\nmatter of the audit. Auditors are responsible for notifying audit management if they have\na personal impairment to independence. This must be completed before starting any\naudit work.\n\nWhile the audit documentation did not include a signed independence statement for the\naudit manager, the independence statements for all other auditors assigned to the audit,\nincluding the program director and auditor-in-charge, were also part of the audit\ndocumentation. The audit manager stated that it was an oversight that the independence\nstatement was not documented in the audit files.\n\nRecommendation\nWe recommend that the AAA Program Director for Intelligence and Security audits\nremind auditors to follow AAA guidance for preparing, reviewing and documenting\nauditor independence for all auditors assigned to the audit to include audit managers.\n\n\n\n\n                                            1\n\x0cManagement Comments\nThe Army Audit Agency\xe2\x80\x99s Deputy Auditor General concurred with the recommendation and\nstated that on December 7, 2011, the program director sent an e-mail to all special access\nprogram personnel discussing the results of the quality control review and re-emphasized the\nrequirements of USAAA Regulation No. 36-3 (Audit Survey and Execution) relating to the\nneed for auditors, specialists and independent reviewers to review and sign independence\nstatements upon assignment to an engagement.\n\nReviewer Response\nManagement comments are responsive. The program director\xe2\x80\x99s December 7, 2011\ne-mail requires that the auditors follow USAAA Regulation No. 36-2 by including\nindependence statements in the working papers and having the appropriate supervisor\nsign the independence statements.\n\nPlanning\nWe found that for one of the two audits reviewed, the auditors did not prepare\naudit working papers or memorandums for record to document meetings with\nAAA management regarding progress and results of audited areas.\n\nGAGAS 7.12e (2007 Revision) states that auditors should communicate about\nplanning and performance of the audit to management officials, those charged\nwith governance, and others as applicable.\n\nUSAAA Regulation No. 36-2, Planning the Audit, dated February 24, 2009, Section 8-1,\nPurpose of Planning Decision Gate states that decision gates allow for program directors,\naudit managers, and Auditors-in-Charge to plan and conduct engagements and to reach\nagreements on how engagement results will be presented in the report. The intent of the\ndecision gates is to ensure all engagements are managed more effectively and feedback is\nprovided to the customer in a timely manner. Typical Agency audits and attestation\nengagements require four decision gates: planning, 30 percent in-process review, 60\npercent review, and message agreement. The primary purpose of the planning decision\ngate meeting is to ensure that the auditors are in agreement on the focus of the\nengagement and that the auditors have the capability to perform the engagement as\nplanned.\n\nUSAAA Regulation No. 36-2, Planning the Audit, dated February 24, 2009, Section 8-4,\nDocumenting the Planning Meeting states that the Auditor-in-Charge is responsible for\nensuring the planning meeting, and any decisions made therein, is documented.\n\nSince the audit documentation did not contain a working paper or memorandum of the\nmeetings between the Army auditors and AAA audit management regarding the progress\nof the audit, we could not determine whether audit management either approved the\nprogress of the audit plan that the auditors presented or discussed other audit approaches.\n\nRecommendation\nWe recommend that the AAA Program Director for Intelligence and Security audits\nremind auditors to include documentation of meetings with AAA audit management\n\n\n                                             2\n\x0cregarding any audit planning decisions made to comply with USAAA Regulation No.\n36-2.\n\nManagement Comments\nThe Army Audit Agency\xe2\x80\x99s Deputy Auditor General concurred with our recommendation\nand stated that on December 7, 2011, the program director sent an e-mail to all special\naccess program personnel discussing the results of the quality control review and re-\nemphasized the requirements of USAAA Regulation No. 36-2 (Planning the Audit)\nrelated to the need for teams to document in working papers the decisions made at\nplanning decision meetings.\n\nReviewer Response\nManagement comments are responsive. The program director\xe2\x80\x99s December 7, 2011\ne-mail requires that the planning decision gate meetings be documented using a working\npaper or memorandum for the record. The e-mail also states that the working paper or\nmemorandum for the record should include those who attended the meeting and the\ndecisions made at the meeting to comply with USAAA Regulation No. 36-2.\n\nAudit Documentation\nWe found that for one of the two audits reviewed, auditors did not prepare working\npapers or memorandums for record to document in-process reviews with audit\nmanagement and Army command.\n\nGAGAS 7.77 (2007 Revision) states that auditors should prepare audit documentation\nrelated to planning, conducting, and reporting for each audit. Auditors should prepare\naudit documentation in sufficient detail to enable an experienced auditor, having no\nprevious connection to the audit, to understand from the audit documentation the nature,\ntiming, extent, and results of audit procedures performed, the audit evidence obtained and\nits source, and the conclusions reached, including evidence that supports the auditors\xe2\x80\x99\nsignificant judgments and conclusions.\n\nUSAAA Regulation No. 36-3, Audit Survey and Execution, dated October 17, 2003,\nChapter 4, Section 4, In-Process Review states that the audit team will hold an in-process\nreview (audit update briefing) with command personnel 45 to 60 days after the entrance\nconference. The purpose of the in-process review is for the audit team to assess audit\nprogress and provide command an update on the audit status and the plan for audit\nexecution. This briefing also provides command with an opportunity to provide input on\nthe survey results and execution phase.\n\nUSAAA Regulation No. 36-3, Audit Survey and Execution, dated October 17, 2003,\nChapter 4, Section 5, Documenting the In-Process Review states that the Auditor-in-\nCharge or designated team member should document the results and decisions made at\nthe in-process review in a memorandum for the record. This memorandum should\ninclude:\n\n   \xe2\x80\xa2   Date, time, and location of the meeting.\n\n\n\n                                            3\n\x0c   \xe2\x80\xa2   List of attendees and contact information (phone number, office location, e-mail\n       address).\n\n   \xe2\x80\xa2   Summary of meeting results including command comments and concerns.\n\n   \xe2\x80\xa2   Agreements made between the audit team and command.\n\n   \xe2\x80\xa2   A copy of the charts used to provide the briefing (as an attachment).\n\nThe auditors should file the in-process review memorandum in the Correspondence and\nConference Notes section of the working paper file.\n\nWe identified audit files that contained briefing charts discussed with audit management\nand Army command, but the audit files did not contain a memorandum for record.\nTherefore, we could not determine who attended the meetings and if audit management\nor Army command had any comments or concerns relating to the briefings.\n\nRecommendation\nWe recommend that the AAA Program Director for Intelligence and Security audits\nremind auditors to document results and decisions made at in-process reviews in an audit\nworking paper or memorandum to comply with USAAA Regulation No. 36-3.\n\nManagement Comments\nThe Army Audit Agency\xe2\x80\x99s Deputy Auditor General concurred with our recommendation\nand stated that on December 7, 2011, the program director sent an e-mail to all special\naccess program personnel discussing the results of the quality control review and\nre-emphasized the requirements of USAAA Regulation No. 36-3 (Audit Survey and\nExecution) related to the need for teams to document the decisions made during\nin-process reviews.\n\nReviewer Response\nManagement comments are responsive. The program director\xe2\x80\x99s e-mail dated\nDecember 7, 2011, requires that auditors document the internal in-process reviews and\ncommand in-process reviews using a working paper or memorandum for the record.\n\nQuality Control\nWe found that for one of the two audits reviewed, the working papers did not include\na completed quality control checklist.\n\nGAGAS 3.50a (2007 Revision) states that each audit organization performing audits\nor attestation engagements in accordance with GAGAS must establish a system of\nquality control that is designed to provide the audit organization with reasonable\nassurance that the organization and its personnel comply with professional standards\nand applicable legal and regulatory requirements.\n\nUSAAA Regulation 36-62, Quality Assurance Program, dated April 16, 2008, Section\n2-3, Quality Control Checklist states the following:\n\n\n\n                                            4\n\x0c   a. The auditor-in-charge and audit manager will complete the appropriate quality\n      control checklist to document compliance with GAGAS throughout the audit.\n\n   b. The quality control checklists provide a roadmap for the audit; they include\n      separate sections on the planning, survey, and execution; report writing; and\n      report reply process phases.\n\n   c. Auditors-in-charge are required to answer each element of the checklist with a\n      \xe2\x80\x9cyes,\xe2\x80\x9d \xe2\x80\x9cno,\xe2\x80\x9d or \xe2\x80\x9cnot applicable;\xe2\x80\x9d initial that each quality control step was\n      completed; provide relevant working paper citations for positive responses;\n      and explain negative answers or steps marked as not applicable.\n\n   d. Before the final report is issued, both the audit manager and the program\n      director will sign the final page of the quality control checklist. The audit\n      manager\xe2\x80\x99s signature validates that the audit complied with GAGAS and\n      Agency policies. The program director\xe2\x80\x99s signature indicates that nothing came\n      to their attention that the audit wasn\xe2\x80\x99t conducted in accordance with GAGAS\n      and Agency policies.\n\n   e. The completed checklist and signatures will be documented in the working\n      paper files.\n\nThe audit working paper files did not include a completed quality control checklist.\nSpecifically, the checklist areas relating to reporting and the command reply process were\nnot completed. The auditors did not answer the checklist sections of the reporting and the\nreply process with a \xe2\x80\x9cyes,\xe2\x80\x9d \xe2\x80\x9cno,\xe2\x80\x9d or \xe2\x80\x9cnot applicable.\xe2\x80\x9d AAA issued the final report\nwithout completing all of the sections of the checklist. The auditors indicated that it was\nan oversight that the checklist was not been completed.\n\nRecommendation\nWe recommend that the AAA Program Director for Security and Intelligence follow the\nAAA quality assurance program and ensure that all sections of the quality control\nchecklist are completed and a copy of the checklist is maintained in the audit files.\n\nManagement Comments\nThe Army Audit Agency\xe2\x80\x99s Deputy Auditor General concurred with our recommendation\nand stated that on December 7, 2011, the program director sent an e-mail to all special\naccess program personnel discussing the results of the quality control review and re-\nemphasized the requirements of USAAA Regulation No. 36-62 (Quality Assurance\nProgram) related to the need for teams to complete all sections of the quality control\nchecklist and to include a copy of the checklist in the working papers.\n\nReviewer Response\nManagement comments are responsive. The program director\xe2\x80\x99s e-mail dated\nDecember 7, 2011, reminded the special access program personnel to complete all\nsections of the quality control checklist and to include a copy of the checklist in the\nworking papers.\n\n\n\n                                              5\n\x0cAppendix B. Scope and Methodology\nWe limited our review to the adequacy of AAA SAP audits\xe2\x80\x99 compliance with quality\npolicies, procedures, and standards. We judgmentally selected two SAP audits from a\nuniverse of four SAP audit reports issued by AAA SAP auditors during FY 2009 and\nFY 2010. We tested each audit for compliance with the AAA system of quality control.\nThe Naval Audit Service conducted a review of the AAA internal quality control system\nfor non-SAP audits and/or attestation engagements, and will issue a separate report. The\nDeputy Inspector General for Audit Policy and Oversight will issue an overall opinion\nreport on the AAA internal quality control system that will include the combined results\nof the SAP and non-SAP audit reviews.\n\nIn performing our review, we considered the requirements of quality control standards\ncontained in the 2007 revision of GAGAS issued by the Comptroller General of the\nUnited States. GAGAS 3.56 states:\n\n               The audit organization should obtain an external peer review sufficient\n               in scope to provide a reasonable basis for determining whether the audit\n               organization is complying with its quality control system in order to\n               provide the audit organization with reasonable assurance of conforming\n               with applicable professional standards.\n\nWe conducted this review in accordance with standards and guidelines established in the\nMarch 2009 Council of the Inspectors Generals on Integrity and Efficiency \xe2\x80\x9cGuide for\nConducting External Peer Reviews of Audit Organizations of the Federal Offices of\nInspector General,\xe2\x80\x9d and the Quality Standards for Inspection and Evaluation. The Naval\nAudit Service used this guide in review of non-SAP audits at the AAA. We reviewed\naudit documentation, interviewed AAA auditors, and reviewed AAA internal audit\npolicies. We reviewed the DOD OIG Report No. D-2008-6-006, \xe2\x80\x9cQuality Control\nReview of the Army Audit Agency\xe2\x80\x99s Special Access Program Audits\xe2\x80\x9d dated June 2,\n2008. We performed this review from September to November at two AAA offices.\n\nWe used the following criteria to select the audits under review:\n\n   x   Worked backward starting with the FY 2010 audits in order to review the most\n       current quality assurance procedure in place.\n\n   x   Avoided audits with multiple SAPs associated with the audit for ease of access.\n\n   x   Avoided audits that have the same or similar titles to ensure review of multiple\n       types of projects.\n\nLimitations of Review\nOur review would not necessarily disclose all weaknesses in the system of quality control\nor all instances of noncompliance because we based our review on selective tests. There\nare inherent limitations in considering the potential effectiveness of any quality control\nsystem. In performing most control procedures, departures can result from\n\n\n\n                                                  6\n\x0cmisunderstanding of instructions, mistakes of judgment, carelessness, or other human\nfactors. Projecting any evaluation of a quality control system into the future is subject to\nthe risk that one or more procedures may become inadequate because conditions may\nchange or the degree of compliance with procedures may deteriorate.\n\n\n\n\n                                             7\n\x0cDepartment of the Army, U.S. Army Audit\nAgency Comments\n\n\n\n\n                     8\n\x0c9\n\x0c10\n\x0c\x0c"